feat: add readonlyRootFilesystem prop to specify whether the contai…

…ner is given read-only access to its root file system feat: add `containerInsights` prop to enable CloudWatch insights fix: Replace deprecated state machine definition chore: add changeset
guardian · Feb 23, 2024 · edf5c7a · edf5c7a
1 parent 42c6bd1
commit edf5c7a
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 2 deletions.
diff --git a/.changeset/brown-starfishes-grin.md b/.changeset/brown-starfishes-grin.md
@@ -0,0 +1,9 @@
+---
+"@guardian/cdk": minor
+---
+
+- Add `readonlyRootFilesystem` prop to specify whether the container is given read-only access to its root file system
+
+- Add `containerInsights` prop to enable CloudWatch insights
+
+- Replace deprecated state machine definition
diff --git a/src/constructs/ecs/__snapshots__/ecs-task.test.ts.snap b/src/constructs/ecs/__snapshots__/ecs-task.test.ts.snap
@@ -202,6 +202,12 @@ exports[`The GuEcsTask pattern should create the correct resources with lots of
     "testecstaskecstestClusterCBD4036C": {
       "Properties": {
         "ClusterName": "ecs-test-cluster-TEST",
+        "ClusterSettings": [
+          {
+            "Name": "containerInsights",
+            "Value": "disabled",
+          },
+        ],
         "Tags": [
           {
             "Key": "App",
@@ -546,6 +552,7 @@ exports[`The GuEcsTask pattern should create the correct resources with lots of
             },
             "Memory": 1024,
             "Name": "test-ecs-task-ecs-test-TaskContainer",
+            "ReadonlyRootFilesystem": true,
           },
         ],
         "Cpu": "1024",

diff --git a/src/constructs/ecs/ecs-task.ts b/src/constructs/ecs/ecs-task.ts
@@ -14,7 +14,7 @@ import {
 } from "aws-cdk-lib/aws-ecs";
 import type { PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Topic } from "aws-cdk-lib/aws-sns";
-import { IntegrationPattern, JsonPath, StateMachine, Timeout } from "aws-cdk-lib/aws-stepfunctions";
+import { DefinitionBody, IntegrationPattern, JsonPath, StateMachine, Timeout } from "aws-cdk-lib/aws-stepfunctions";
 import type { TaskEnvironmentVariable } from "aws-cdk-lib/aws-stepfunctions-tasks";
 import { EcsFargateLaunchTarget, EcsRunTask } from "aws-cdk-lib/aws-stepfunctions-tasks";
 import { Construct } from "constructs";
@@ -121,6 +121,16 @@ export interface GuEcsTaskProps extends AppIdentity {
    * shoud set this value to `false`.
    */
   enableDistributablePolicy?: boolean;
+  /**
+   * When this parameter is true, the container is given read-only access to its root file system.
+   * @default false
+   */
+  readonlyRootFilesystem?: boolean;
+  /**
+   * If `true`, CloudWatch Container Insights will be enabled for the cluster
+   * @default false
+   */
+  containerInsights?: boolean;
 }
 
 /**
@@ -168,6 +178,8 @@ export class GuEcsTask extends Construct {
       securityGroups = [],
       environmentOverrides,
       enableDistributablePolicy = true,
+      readonlyRootFilesystem = false,
+      containerInsights = false,
     } = props;
 
     if (storage && storage < 21) {
@@ -182,6 +194,7 @@ export class GuEcsTask extends Construct {
       clusterName: `${app}-cluster-${stage}`,
       enableFargateCapacityProviders: true,
       vpc,
+      containerInsights,
     });
 
     const taskDefinition = new TaskDefinition(scope, `${id}-TaskDefinition`, {
@@ -202,6 +215,7 @@ export class GuEcsTask extends Construct {
         streamPrefix: app,
         logRetention: 14,
       }),
+      readonlyRootFilesystem,
     });
 
     if (enableDistributablePolicy) {
@@ -230,7 +244,7 @@ export class GuEcsTask extends Construct {
     });
 
     this.stateMachine = new StateMachine(scope, `${id}-StateMachine`, {
-      definition: task,
+      definitionBody: DefinitionBody.fromChainable(task),
       stateMachineName: `${app}-${stage}`,
     });